About that theme, DNAeon, I'm having the exact same problems with 8.0-STABLE. The goal is to get a VPN connection to access Samba, so the thing is that everything works if I disable the firewall, but if pf is on, although there is nothing blocking from pf when I tcpdump pflog0, I can't ping from the remote to the local LAN IP of the server; the other way around works. Sure, I can't access Samba's network when pf is on; when it's off there's no problem at all. I kinda can't figure this out because pflog0 is not showing me any blocking from its side.

Some help... thanks

Hi roko,

The proxy arp issues were fixed in RELENG_8 and 8.1-RELEASE, so your issue should be more like a configuration problem.

Can you show your mpd.conf and PF rules?

Regards,

__________________"I never think of the future. It comes soon enough." - A.E

Code:

external="em0"
internal="em1"
local="em3"
ipv6="stf0"
pptp="ng0"
intranal="10.0.0.0/24"
intranallocal="10.0.1.0/24"
services="{ 21, 25, 53, 50, 60, 70, 80, 110, 443, 995, 2525 }"
portsopen="{ 47, 2525, 1723, 10000, 10001 }"
ircportsopen="{ 10001 }"
irc="{ IPS }"
ipsopen="{ IPS }"
ip6sopen="{ IPS6 }"
blockaniipji="{ IPS }"
ports="{ 21 }"
icmp_types="echoreq"
set block-policy drop
set loginterface $external
set skip on lo0
scrub in all
scrub on $internal
scrub on $external random-id max-mss 1452 reassemble tcp fragment reassemble
nat on $external from $intranal to any -> ($external)
nat on $external from $intranallocal to any -> ($external)
rdr on $external proto tcp from any to $external port 60606 -> 10.0.0.2 port 60606
# START - XTREAMER - FTP
rdr on $external proto tcp from any to $external port 10002 -> 10.0.0.5 port 21
rdr on $external proto tcp from any to $external port 10003 -> 10.0.0.5 port 80
rdr on $external proto tcp from any to $external port 1024:1050 -> 10.0.0.5
# END - EXTREAMER - FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#rdr on $internal proto tcp from any to any port 21 -> 127.0.0.1 port 21
block in log quick on $external inet proto tcp from any to any flags FUP/FUP
block in log quick on $external proto tcp from any to any flags SAFRPU/SAFRPU
block in log quick on $external proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $external proto tcp from any to any flags SF/SF
block in log quick on $external proto tcp from any to any flags SR/SR
block in inet proto icmp all icmp-type $icmp_types
block in log quick on $external proto tcp from $blockaniipji to $external
#pass in inet proto icmp icmp-type $icmp_types from $internal to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $external keep state
#block return-rst in quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto udp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto icmp from any to any
block in log all
block out log all
anchor "ftp-proxy/*"
antispoof quick for { lo $internal }
antispoof quick for { lo $local }
pass in on $pptp inet from any to any
pass out on $pptp inet from any to any
pass in proto gre all keep state
pass out proto gre all keep state
# IP-TV FOR THE NETWORK #
pass in on $external inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $external inet proto udp to 224.0.0.0/4
pass out on $external inet proto igmp from $external to 224.0.0.0/4 allow-opts
pass in on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass in on $internal inet proto udp from 10.0.0.0/24
pass out on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass out on $internal inet proto udp to 224.0.0.0/4
# END OF IP-TV FOR THE NETWORK #
# START OF IPV6
pass in on $ipv6 inet6 from any to any keep state
#pass in on $external inet proto ipv6 from any to $external keep state
pass in on $internal inet proto ipv6 from any to any keep state
pass out on $ipv6 all
pass out on $external inet proto ipv6 from $external to any keep state
pass in on lo all
pass out on lo all
# END OF IPV6
# START - XTREAMER - FTP
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 21 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 80 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
pass out quick on $internal inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
# END - XTREAMER - FTP
# START OF PORT FORWARDING THROUGH NAT
pass out on $internal inet proto tcp from any to 10.0.0.2 port 60606 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 21 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 80 keep state
# END OF PORT FORWARDING THROUGH NAT
pass out on $external inet proto udp all keep state
pass out on $external inet proto icmp from any to any keep state
pass out on $external inet proto tcp from any to any
pass out on lo inet proto tcp from any to any port 953 keep state
pass in on lo inet proto tcp from any to any port 953 keep state
# WEBMAIL
pass in on lo inet proto tcp from any to any port 143 keep state
pass out on lo inet proto tcp from any to any port 143 keep state
pass out on lo inet proto tcp from any to any port 25 keep state
pass in on lo inet proto tcp from any to any port 25 keep state
# END OF WEBMAIL
pass in on $external proto tcp from any to any port > 49151 keep state
pass in on $external inet proto udp from any to any port domain keep state
pass in on $internal inet from $intranal to any modulate state
pass in on $local inet from $intranallocal to any modulate state
pass out on $internal inet from $intranal to any modulate state
pass out on $local inet from $intranallocal to any modulate state
pass in on $external inet proto tcp from $ipsopen to $external port $portsopen keep state
#pass in quick on $external inet6 proto tcp from $ip6sopen to $external port $portsopen keep state
pass in on $external inet proto tcp from any to $external port $services keep state
pass in on $external inet proto tcp from $irc to $external port 113 keep state
pass in on $external inet proto tcp from any to $external user proxy keep state
# IGMP IP-TV
pass in on $internal inet proto igmp from any to any allow-opts
pass in on $external proto tcp from any to 10.0.1.2 flags S/SA keep state
antispoof for $external
antispoof for $ipv6
antispoof for $local
antispoof for $internal

I know that this pf config is messy, and sure there are some misconfigurations in it; I didn't have time to retest everything and get the syntax 100%...

The things I added for mpd and PPTP are:

Code:

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any
pass in proto gre all keep state
pass out proto gre all keep state

So the problem is that clients are able to connect to the PPTP server; they get an address from the pool (10.0.0.50-100), but they cannot ping any system on the internal network (10.0.0.0/24) unless I disable pf. Then the clients can ping the gateway 10.0.0.1 and Samba starts working too...

Thanks for the quick response, DNAeon; I hope to find the pf config bug..

1) My mpd.conf file is almost the same as yours, except that I don't have mpd.links

2) pf.conf configuration

What I understood is that your mpd5 daemon is running on your external IP, right?

Your internal network is 10.0.0.0/24 which also includes the ip pool for mpd - 10.0.0.50 - 10.0.0.100.

Upon a new pptp connection mpd will automatically create a new ngX interface associated to that specific connection - in your PF configuration you are limited to only one pptp connection, so instead of allowing that specific ng0 interface, allow the ip pool from mpd.conf.

Here are some parts from my pf.conf that you might find useful to fit into your configuration:

In the above configuration the hosts from the table allowed get access to the internet and since in that network is your ip pool from mpd, all clients connecting to your pptp client will have internet access too.

My setup differs from yours in only one more thing, and that is that my PPTP server runs on the internal network, so I just have an additional rdr rule to pass the traffic.

Let me know if that works for you.

Regards,

__________________"I never think of the future. It comes soon enough." - A.E
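The approach DNAeon describes (allow the mpd address pool rather than a single ng0 interface, and pass the PPTP control and GRE traffic) as an added pf.conf example; this is not DNAeon's or roko's configuration. It assumes em0 as the external and em1 as the internal interface, mpd5 listening on the external address, a pool of 10.0.0.50-10.0.0.100 inside the LAN 10.0.0.0/24, and FreeBSD's automatic "ng" interface group that every ngX interface joins.

```pf
# Added example (not the thread's own configuration); assumed interface names
ext_if="em0"
int_if="em1"
lan="10.0.0.0/24"
# mpd address pool, kept in a table so a range can be expressed directly
table <pptp_clients> { 10.0.0.50 - 10.0.0.100 }

set skip on lo0
# Log everything that is dropped so pflog0 actually shows the reason
block log all

# Own-address spoofing from the outside; "log" makes the drops visible.
# antispoof for $int_if is left out on purpose: it would expand to a block
# of $lan sources arriving on every other interface, including ng*, and
# would do so silently unless written with "log".
antispoof log quick for $ext_if

# PPTP control channel (TCP 1723) and the GRE tunnel carrying the PPP frames
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 keep state
pass in on $ext_if proto gre from any to ($ext_if) keep state
pass out on $ext_if proto gre from ($ext_if) to any keep state

# Tunnel traffic: match the "ng" interface group, not a single ngX, so every
# concurrent client works; restrict sources to the pool so a VPN client
# cannot claim another LAN address
pass in on ng from <pptp_clients> to $lan keep state
pass out on ng from $lan to <pptp_clients> keep state

# LAN side: let LAN hosts reach and answer the tunnel clients
pass in on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state
```

Check the result with pfctl -nf /etc/pf.conf before loading, and watch tcpdump -n -e -ttt -i pflog0 while a client pings the gateway; with block log all in place, every drop now shows the matching rule.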